Hackers Hiding Web Shell Logins in Fake HTTP Error Pages
"The technique isn't new," nullcookies told Bleeping Computer. "but what I find noteworthy is the increasing frequency of them and how it's easy for someone to miss them unless they're familiar with the technique."
fake 404 not found
If we dig deeper, though, and look at the source of the page, you can see a very different page lurking in the background. The source shows that there is a login form on the page, but it is hidden using CSS that places the login prompt at the very bottom of the page and removes the scroll bar so you wouldn't think to scroll down to see it.
If you use the page down key, though, the login form quickly becomes visible.
Fake 404 Not Found source
Another page we were sent uses the "Forbidden" error message. Like the fake 404 page, this too is hiding a login form in it, but once again the attackers use creative methods to hide the input field.
Fake Forbidden error page In this page, the attacker hides the form field altogether, so even if you attempt to scroll down you won't see it. Instead you need to access the form field by knowing exactly where it is or tabbing into it.
Hidden password field According to nullcookies, web shells hiding behind these fake error pages pose a particular danger to system administrators who may clean up a phishing install, but not realize another page on the site is hiding a web shell that could allow an attacker to easily reinfect the site.
"Some Guy at Some Company will miss those panels because they won't realize there's something to delete in the first place," nullcookies told Bleeping Computer. "One of the reasons that some phishes keep re-appearing even after the webmaster or whoever takes down the phish and attempts to lock everything down.
With that said, if you ever receive reports that your site is compromised and you investigate it, don't automatically assume an error page is legitimate and investigate further by examining the source.
fake 404 not found
No comments:
Post a Comment